Cloud Provider Requirements

    Couchbase Cloud requires certain permissions and resource capacity within your cloud provider account in order to connect and deploy clusters.

    Amazon Web Services (AWS)

    Couchbase Cloud supports deploying clusters on Amazon Web Services (AWS).

    Supported Regions

    Americas

    AWS Region      Location
    us-east-1       US East (N. Virginia)
    us-east-2       US East (Ohio)
    us-west-2       US West (Oregon)
    ca-central-1    Canada (Central)

    Europe

    AWS Region      Location
    eu-central-1    EU (Frankfurt)
    eu-west-1       EU (Ireland)
    eu-west-2       EU (London)
    eu-west-3       EU (Paris)
    eu-north-1      EU (Stockholm)

    Required Permissions

    This section describes the AWS permissions that are required for Couchbase Cloud to be able to deploy and manage clusters in your AWS account. You should verify that your AWS account has these permissions before attempting to connect clouds and deploy clusters.

    • The following permissions are required for rotating the access keys, and are locked to the user that is created by the CloudFormation stack:

      iam:DeleteAccessKey
      iam:ListAccessKeys
      iam:DeleteUser
    • The following permissions are required to create the networking infrastructure in a VPC, and are locked to the VPC:

      ec2:AuthorizeSecurityGroupEgress
      ec2:AuthorizeSecurityGroupIngress
      ec2:CreateRoute
      ec2:DeleteRouteTable
      ec2:DeleteSecurityGroup
      ec2:RevokeSecurityGroupEgress
      ec2:RevokeSecurityGroupIngress
      ec2:UpdateSecurityGroupRuleDescriptionsEgress
      ec2:UpdateSecurityGroupRuleDescriptionsIngress
      ec2:RunInstances
    • The following permissions are locked to the CloudFormation stack:

      cloudformation:DeleteStack
      cloudformation:DescribeStackEvents
      cloudformation:DescribeStackResources
      cloudformation:DetectStackDrift
      cloudformation:DetectStackResourceDrift
      cloudformation:GetTemplate
      cloudformation:ListStackResources
      cloudformation:UpdateStack
    • The following permissions are required to store the Terraform state for all the cloud and cluster deployments. They are also used to store backups, and are locked to the main S3 bucket:

      s3:AbortMultipartUpload
      s3:DeleteObject
      s3:DeleteObjectTagging
      s3:DeleteObjectVersion
      s3:DeleteObjectVersionTagging
      s3:GetObject
      s3:GetObjectAcl
      s3:GetObjectLegalHold
      s3:GetObjectRetention
      s3:GetObjectTagging
      s3:GetObjectVersion
      s3:GetObjectVersionAcl
      s3:GetObjectVersionTagging
      s3:ListMultipartUploadParts
      s3:PutObject
      s3:PutObjectAcl
      s3:PutObjectLegalHold
      s3:PutObjectRetention
      s3:PutObjectTagging
      s3:PutObjectVersionAcl
      s3:PutObjectVersionTagging
      s3:RestoreObject
      s3:DescribeJob
      s3:UpdateJobPriority
      s3:UpdateJobStatus
    • The following permissions are required to store logs and support-related information about a connected cloud and cluster. These permissions are locked to the support bucket:

      s3:AbortMultipartUpload
      s3:DeleteObject
      s3:DeleteObjectTagging
      s3:DeleteObjectVersion
      s3:DeleteObjectVersionTagging
      s3:GetObject
      s3:GetObjectAcl
      s3:GetObjectLegalHold
      s3:GetObjectRetention
      s3:GetObjectTagging
      s3:GetObjectVersion
      s3:GetObjectVersionAcl
      s3:GetObjectVersionTagging
      s3:ListMultipartUploadParts
      s3:ListBucket
      s3:ListBucketVersions
      s3:PutObject
      s3:PutObjectAcl
      s3:PutObjectLegalHold
      s3:PutObjectRetention
      s3:PutObjectTagging
      s3:PutObjectVersionAcl
      s3:PutObjectVersionTagging
      s3:RestoreObject
      s3:DescribeJob
      s3:UpdateJobPriority
      s3:UpdateJobStatus
    • The following permissions are scoped to the Couchbase Cloud IAM group created by the CloudFormation stack, and are required to remove the user from that group and to delete the group and its inline policy:

      iam:RemoveUserFromGroup
      iam:DeleteGroup
      iam:DeleteGroupPolicy
    • The following permissions are required to create Auto Scaling groups which contain the worker nodes for the EKS cluster:

      autoscaling:AttachInstances
      autoscaling:CreateAutoScalingGroup
      autoscaling:CreateLaunchConfiguration
      autoscaling:CreateOrUpdateTags
      autoscaling:DeleteAutoScalingGroup
      autoscaling:DeleteLaunchConfiguration
      autoscaling:DeleteTags
      autoscaling:Describe*
      autoscaling:DetachInstances
      autoscaling:SetDesiredCapacity
      autoscaling:UpdateAutoScalingGroup
      autoscaling:SuspendProcesses
      autoscaling:DescribeLaunchConfigurations
    • The following permissions are required to create the networking infrastructure in a VPC (Routing Tables, Subnets, Internet Gateway, NAT Gateway) and the EC2 instances under the Auto Scaling group:

      ec2:DescribeVpcs
      ec2:DescribeSubnets
      ec2:DescribeNetworkInterfaces
      ec2:DescribeAvailabilityZones
      ec2:AllocateAddress
      ec2:AssignPrivateIpAddresses
      ec2:Associate*
      ec2:AttachInternetGateway
      ec2:AttachNetworkInterface
      ec2:CreateDefaultSubnet
      ec2:CreateDhcpOptions
      ec2:CreateEgressOnlyInternetGateway
      ec2:CreateInternetGateway
      ec2:CreateNatGateway
      ec2:CreateNetworkInterface
      ec2:CreateRouteTable
      ec2:CreateSecurityGroup
      ec2:CreateSubnet
      ec2:CreateTags
      ec2:CreateVolume
      ec2:CreateVpc
      ec2:DeleteDhcpOptions
      ec2:DeleteEgressOnlyInternetGateway
      ec2:DeleteInternetGateway
      ec2:DeleteNatGateway
      ec2:DeleteNetworkInterface
      ec2:DeleteRoute
      ec2:DeleteSubnet
      ec2:DeleteTags
      ec2:DeleteVolume
      ec2:DeleteVpnGateway
      ec2:Describe*
      ec2:DetachInternetGateway
      ec2:DetachNetworkInterface
      ec2:DetachVolume
      ec2:Disassociate*
      ec2:ModifySubnetAttribute
      ec2:ModifyVpcAttribute
      ec2:ModifyVpcEndpoint
      ec2:ReleaseAddress
      ec2:UpdateSecurityGroupRuleDescriptionsEgress
      ec2:UpdateSecurityGroupRuleDescriptionsIngress
      ec2:CreateLaunchTemplate
      ec2:CreateLaunchTemplateVersion
      ec2:DeleteLaunchTemplate
      ec2:DeleteLaunchTemplateVersions
      ec2:DescribeLaunchTemplates
      ec2:DescribeLaunchTemplateVersions
      ec2:GetLaunchTemplateData
      ec2:ModifyLaunchTemplate
    • The following permissions are required to create the EKS clusters under the VPC and appropriately tag the resource:

      eks:CreateCluster
      eks:DeleteCluster
      eks:DescribeCluster
      eks:UpdateClusterVersion
      eks:ListClusters
      eks:TagResource
      eks:UpdateClusterConfig
      eks:DescribeUpdate
    • The following permissions are required to attach roles to all the EC2 instances so they have access to other AWS resources. Because this group includes iam:PassRole, iam:CreatePolicyVersion and iam:AttachRolePolicy, review the Resource and Condition scoping that the CloudFormation template applies to these actions before you deploy the stack:

      iam:AddRoleToInstanceProfile
      iam:AttachRolePolicy
      iam:CreateInstanceProfile
      iam:CreatePolicy
      iam:CreatePolicyVersion
      iam:DeletePolicyVersion
      iam:CreateRole
      iam:CreateServiceLinkedRole
      iam:GetServiceLinkedRoleDeletionStatus
      iam:DeleteInstanceProfile
      iam:DeletePolicy
      iam:DeleteRole
      iam:DeleteRolePolicy
      iam:DeleteServiceLinkedRole
      iam:DetachRolePolicy
      iam:GetInstanceProfile
      iam:GetPolicy
      iam:GetPolicyVersion
      iam:GetRole
      iam:GetRolePolicy
      iam:List*
      iam:PassRole
      iam:PutRolePolicy
      iam:RemoveRoleFromInstanceProfile
      iam:UpdateAssumeRolePolicy
      iam:TagRole
      iam:UntagRole
      iam:ListInstanceProfilesForRole
      iam:ListAttachedRolePolicies
    • The following permissions are required to encrypt each cluster with its own KMS key:

      kms:GetPublicKey
      kms:Decrypt
      kms:UpdateKeyDescription
      kms:GetKeyPolicy
      kms:GenerateDataKeyWithoutPlaintext
      kms:Verify
      kms:ListResourceTags
      kms:ReEncryptFrom
      kms:GetParametersForImport
      kms:DescribeCustomKeyStores
      kms:ListKeys
      kms:GetKeyRotationStatus
      kms:Encrypt
      kms:ScheduleKeyDeletion
      kms:ListAliases
      kms:ReEncryptTo
      kms:DescribeKey
      kms:CreateKey
      kms:UntagResource
      kms:TagResource
    • The following permissions are required so that Terraform can save the state of connected clouds and deployed clusters:

      s3:ListAllMyBuckets
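
    A practical way to verify the permissions above before connecting a cloud is to evaluate the IAM policy that the connecting principal will carry against the list of required actions. The following checker is an added example and is not Couchbase Cloud or AWS code. It applies the IAM matching rules that matter here (action names are case-insensitive, `*` and `?` are wildcards in both Action and Resource, and an explicit Deny overrides any Allow) and reports which required actions a policy document does not grant. It deliberately ignores Condition blocks, NotResource, permission boundaries and SCPs, so a pass is necessary but not sufficient; the authoritative check is `aws iam simulate-principal-policy`. The account ID, user name and bucket names in the sample are placeholders, and the required list is a subset of the actions on this page.

```python
"""Offline IAM policy coverage check for the actions Couchbase Cloud requires.

Added example, not Couchbase Cloud or AWS code. All ARNs and bucket names
are constructed placeholders.
"""
import fnmatch
import json

# A subset of this page's required actions, paired with the resource scope
# each is "locked to". "*" means the action is not resource-scoped here.
REQUIRED = [
    ("iam:DeleteAccessKey", "arn:aws:iam::123456789012:user/couchbase-cloud-user"),
    ("ec2:CreateRoute", "*"),
    ("ec2:DescribeVpcs", "*"),
    ("autoscaling:CreateAutoScalingGroup", "*"),
    ("s3:PutObject", "arn:aws:s3:::couchbase-main-bucket/*"),
    ("s3:ListBucket", "arn:aws:s3:::couchbase-support-bucket"),
    ("eks:CreateCluster", "*"),
    ("kms:CreateKey", "*"),
    ("s3:ListAllMyBuckets", "*"),
]

# Constructed sample policy: grants most of the subset, forgets ListBucket on
# the support bucket, and carries a blanket Deny on KMS that silently breaks
# per-cluster key creation.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:CreateRoute", "autoscaling:*", "eks:*",
                "kms:CreateKey", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::couchbase-main-bucket/*"},
    {"Effect": "Allow",
     "Action": "iam:DeleteAccessKey",
     "Resource": "arn:aws:iam::123456789012:user/couchbase-cloud-user"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_applies(stmt, action, resource):
    """True if this statement's Action/NotAction and Resource cover the pair."""
    actions = _as_list(stmt.get("Action"))
    if actions:
        action_hit = any(_match(p, action) for p in actions)
    else:  # NotAction: statement applies to everything except the listed actions
        action_hit = not any(_match(p, action) for p in _as_list(stmt.get("NotAction")))
    resource_hit = any(_match(p, resource) for p in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def evaluate(policy, action, resource="*"):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of order
        decision = "Allow"
    return decision


def missing_actions(policy, required=REQUIRED):
    """List (action, resource, decision) for every required action not allowed."""
    gaps = []
    for action, resource in required:
        decision = evaluate(policy, action, resource)
        if decision != "Allow":
            gaps.append((action, resource, decision))
    return gaps


if __name__ == "__main__":
    for action, resource, decision in missing_actions(SAMPLE_POLICY):
        print(f"{decision:12} {action:36} on {resource}")
```

    Run against a policy exported with `aws iam get-policy-version`, the report distinguishes actions that are simply absent (ImplicitDeny) from ones that a Deny statement elsewhere in the policy blocks, which is the case that most often survives a visual review of the CloudFormation template.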

    Required Quotas

    This section describes the AWS quotas and limits that can affect the proper functioning of Couchbase Cloud in your AWS account. You should verify that the current quotas set for your account can accommodate your expected usage of Couchbase Cloud, and make any necessary increases to those quotas before connecting clouds and deploying clusters.

    VPCs per Region

    It is recommended that you increase your AWS account’s quota for VPCs per Region (the default quota is five).

    Each connected cloud creates one VPC in a given Region. This means that if you keep the default quota, then the maximum number of connected clouds you can have in each Region is four. (This is assuming that you aren’t running any other VPCs in the Region and have not deleted the default VPC.)

    If you try to connect a new cloud in a Region that has already reached its VPC quota, then the connection will fail. (Note that existing, successfully connected clouds will not be affected if you reach the VPC quota in a Region.)

    To increase your AWS account’s quota for VPCs per Region, request a service quota increase from AWS (through the Service Quotas console or a support case). Ensure that you request a quota that can accommodate the maximum number of connected clouds (as well as any other VPCs) that you plan to have in a given Region of the same AWS account.

    VPC Elastic IP Addresses per Region

    It is recommended that you increase your AWS account’s quota for VPC Elastic IP addresses per Region (the default quota is five).

    Couchbase Cloud requires three Elastic IP addresses (EIPs) per connected cloud. This means that if you keep the default quota, you may encounter errors when connecting more than one cloud per Region. (This is assuming that you are not running any other VPCs that are consuming more of the EIP quota.)

    To increase your AWS account’s quota for VPC EIPs per Region, request a service quota increase from AWS (through the Service Quotas console or a support case). Ensure that you request a quota that can accommodate the maximum number of connected clouds (as well as any other VPCs) that you plan to have in a given Region of the same AWS account. Since three VPC EIPs are required per connected cloud, a convenient way to calculate this quota is to take your VPCs per Region quota and multiply it by three. So if your VPCs per Region quota is 20, then you should request that your VPC EIPs per Region quota be increased to 60.

    Classic Load Balancers per Region

    It is recommended that you increase your AWS account’s quota for Classic Load Balancers per Region (the default quota is 20).

    Couchbase Cloud requires n+1 Classic Load Balancers per cluster, where n is the number of nodes in the cluster. This means that if you keep the default quota, the maximum number of clusters you can have in a single Region, across all connected clouds, is ten 1-node development clusters, or five 3-node production clusters.

    To increase your AWS account’s quota for Classic Load Balancers per Region, you will need to request a service quota increase. Ensure that you request a quota that can accommodate the maximum number of clusters and nodes that you plan to have in a given Region of the same AWS account. It’s recommended that you err on the side of having a higher quota than you think you might need in case you encounter unforeseen events that require you to rapidly scale out clusters and/or deploy your own resources that require Classic Load Balancers.
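
    The three quota rules above (one VPC and three EIPs per connected cloud, n+1 Classic Load Balancers per n-node cluster) are easiest to apply consistently across several Regions with a small planner. The following is an added example, not Couchbase Cloud tooling: it takes a constructed deployment plan and a constructed snapshot of current quota values, computes what each Region needs, and lists the quotas that would be exceeded. In practice the current values come from the Service Quotas console or `aws service-quotas list-service-quotas --service-code vpc` (and `ec2`, `elasticloadbalancing`); the figures in the two dictionaries below are invented for the example.

```python
"""Per-Region quota planner for Couchbase Cloud on AWS.

Added example, not Couchbase Cloud tooling. Encodes the rules from this
page: one VPC per connected cloud, three EIPs per connected cloud, and
n+1 Classic Load Balancers per cluster of n nodes. Quotas are per Region.
"""

EIPS_PER_CLOUD = 3

# Constructed plan. "other_vpcs" counts VPCs not created by Couchbase Cloud,
# including the default VPC if it has not been deleted.
PLAN = {
    "us-east-1": {"clouds": 2, "cluster_node_counts": [3, 3, 1], "other_vpcs": 1},
    "eu-west-1": {"clouds": 1, "cluster_node_counts": [5], "other_vpcs": 1},
}

# Constructed snapshot of current quotas (the AWS defaults named on this page).
CURRENT_QUOTAS = {
    "us-east-1": {"vpcs": 5, "eips": 5, "clbs": 20},
    "eu-west-1": {"vpcs": 5, "eips": 5, "clbs": 20},
}


def required_quotas(region_plan):
    """Quota values a single Region needs for the given plan."""
    clouds = region_plan["clouds"]
    return {
        "vpcs": clouds + region_plan.get("other_vpcs", 0),
        "eips": clouds * EIPS_PER_CLOUD,
        # n+1 Classic Load Balancers per cluster of n nodes
        "clbs": sum(n + 1 for n in region_plan["cluster_node_counts"]),
    }


def shortfalls(plan, quotas):
    """Map region -> {quota: (required, current)} for every quota the plan exceeds."""
    result = {}
    for region, region_plan in plan.items():
        need = required_quotas(region_plan)
        have = quotas[region]
        over = {k: (need[k], have[k]) for k in need if need[k] > have[k]}
        if over:
            result[region] = over
    return result


def max_clusters_under_clb_quota(nodes_per_cluster, clb_quota):
    """How many identical clusters fit under a Classic Load Balancer quota."""
    return clb_quota // (nodes_per_cluster + 1)


if __name__ == "__main__":
    for region, over in shortfalls(PLAN, CURRENT_QUOTAS).items():
        for quota, (need, have) in over.items():
            print(f"{region}: {quota} needs {need}, quota is {have}")
```

    With the sample plan, us-east-1 is the only Region that falls short, and only on Elastic IPs: two connected clouds need six EIPs against a default quota of five, which matches the page's warning that a second cloud in a Region fails under the default EIP quota even though the VPC and load balancer quotas still have headroom.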

    Additional Requirements

    • AWS Security Token Service (STS) must be active for the Region you select. If STS is not active, the CloudFormation stack will still deploy, but Couchbase Cloud will fail to connect to it. Regional STS endpoints are enabled or disabled per Region under the account settings of the IAM console; check the selected Region there before deploying the stack.